
Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability



Still wrong, no DoS. The server responds to further requests after the dialog 
box appears:
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866

Some explanation:
In desktop mode the application is interactive, but when installed as a system 
service it isn't.

Of course the preferred installation for a production server is a system 
service. On the other hand, the (interactive) desktop application is the choice 
for web application development.

Finally the ISAPI example (!!!) files can be deleted or a simple filter in the 
server configuration can be used in order to hide these files:

1.) either extend the mapping directive:
Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"

or 2.) extend the ISAPI handler object:
CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404"

Both filters return an HTTP status 404 for the example URL http://hz/isapi/users.txt.

This is simple configuration work as described in the server documentation. So 
what? I still cannot see any reason for a DoS vulnerability in this case.

Honestly, I don't believe that someone publishes the ISAPI (or CGI) examples 
delivered and installed with the server in an internet environment. The default 
configuration template for internet is internet.pi3 and this is of course 
without ISAPI mapping by default.

Finally there's still the fact that wrong (server version) and incomplete 
(installation options, OS version) information has been posted without giving 
me the chance for analysis. I'm the only person in the Pi3Web project and I do 
this in my rare spare time (normally at the weekend).
--
regards,
Holger Zimmermann
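As an added defender's check (example code, not Pi3Web's own and not part of the post above): a small Python script that parses access-log lines in the format quoted in the post and reports whether requests logged after the first 5xx on a /isapi/ path were still served, which is the point the log excerpt is making. The sample lines are constructed after the ones in the post.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the access-log lines quoted in the post
# (same format; the /isapi/users.txt request is the one that returned 500).
SAMPLE_LOG = """\
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
"""

# client host user [timestamp] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Parse access-log text into a list of dicts, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable log line: %r" % line)
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def availability_after(entries, trigger_prefix="/isapi/"):
    """Summarise whether the server kept serving after the first 5xx on a
    path under trigger_prefix. Returns None if no such request is logged."""
    trigger = next((i for i, e in enumerate(entries)
                    if e["status"] >= 500 and e["path"].startswith(trigger_prefix)), None)
    if trigger is None:
        return None
    later = entries[trigger + 1:]
    span = (later[-1]["ts"] - entries[trigger]["ts"]).total_seconds() if later else 0
    return {
        "trigger_path": entries[trigger]["path"],
        "later_requests": len(later),
        "later_ok": sum(1 for e in later if 200 <= e["status"] < 300),
        "seconds_spanned": int(span),  # error to the last later request
    }


if __name__ == "__main__":
    print(availability_after(parse_log(SAMPLE_LOG)))
```

A real availability check would replay the same request a second time rather than trust a single log line, but the summary is enough to tell "one request failed" apart from "the server stopped answering".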